jquery - Escape dangerous code when allowing user MySQL filter creation -

-

i can display of release years of films in database. user can pick year , see of films released in year. or can show of genres of movie. user can choose genre , see of movies match criteria. built form in user can dynamically choose own criteria. instance "release date" "is after" "2000" return filtered list.

i wrote unprotected jquery/django code pass filters database. through combination of drop down boxes , user input boxes (exactly see in itunes), using jquery construct filter.

as example, let's user selects in first drop down: "year". second drop down: "is". last input box user enters "2005." criteria put array:

dictionary:  [     {"includes": [["year__iexact", "2005"]],      "excludes": []},      "all"  ]

"includes"/"excludes" separates criteria "is", "is before" things "is not"
"all" designates filter should "match all", not "match any"

this converted json: 

[{"includes":[["year__iexact","2005"]],"excludes":[]},"all"]

and posted django.

the view in django puts data filter: 

incdict[ filter[0].encode('utf-8') ] = filter[1].encode('utf-8')

this becomes:

incdict[ 'year__iexact' ] = 2005

that fed query (as instructed here: 

query_set = film.objects.filter(**incdict)

ok, hope clear. ask how protect against unscrupulous user seeks bypass/exploit input. need escape special characters? data validation? best way protect system?

even if allow freeform data filter() , exclude(), there's no way craft dangerous query them; type of query determined methods called, not data passed.


Comments

Post a Comment

Popular posts from this blog

android - Spacing between the stars of a rating bar? -

-
ho can set spacing beween stars? thats ratingbar: ratingbar = (ratingbar) inflater.inflate(r.layout.ratingbar, null); ratingbar.setlayoutparams(new layoutparams(layoutparams.wrap_content, layoutparams.wrap_content)); the layout: <?xml version="1.0" encoding="utf-8"?> <ratingbar xmlns:android="http://schemas.android.com/apk/res/android" style="@style/mystyle" android:layout_alignparentright="true" android:layout_height="19dp" android:layout_width="wrap_content" android:numstars="5"> </ratingbar> the style: <style name="mystyle" parent="@android:style/widget.ratingbar"> <item name="android:progressdrawable">@drawable/android_r2_ratingstar_yellow</item> <item name="android:indeterminatedrawable">@drawable/android_r2_ratingstar_grey</item> </style> thanks, cheers you have ...
Read more

html - Instapaper-like algorithm -

-
does of algorithm extracts contents webpage? instapaper ? there 2 steps instapaper does: find main content block on page (excluding headers, footers, menus etc) from content block extract , format text to find content block (typically html block element, div containing key page text content) instapaper uses algorithm 1 used readability . can @ source of readability.js see what's going on, @ core tries find area on page highest text/link ratio, although has other simple scoring metrics (e.g. off top of head, things ratio of text commas, para elements etc) go heuristics. once have identified root node element, relevant content, you'll need format it, if want can pull node element containing text out of source document , insert yours, in reality you'll want remove existing styles , apply own, standard , feel. if want output nice text-only can use jericho's renderer . update1 : should mention else instapaper - follow 'pagination' links (...
Read more

c# - How to execute a particular part of code asynchronously in a class -

-
i creating speech recognition engine that's going respond user commands.i have created button enable , disable speech recognition per user convenience.i have used dispose() of speech engine disable speech recoginition.here code private void button1_click(object sender, routedeventargs e) { engineon = !engineon; if (engineon) { speechengine = speech.createspeechengine(); //speech class creates , returns new speech engine. speechengine.audiolevelupdated += new eventhandler<audiolevelupdatedeventargs>(speechengine_audiolevelupdated); // use system's default microphone speechengine.setinputtodefaultaudiodevice(); speechengine.loadgrammar(new dictationgrammar()); // start listening speechengine.recognizeasync(recognizemode.multiple); } else { speechclass.myengine.dispose(); } } but disposal of speech obj...
Read more